Side by Side Diff: joomla-master-htaccess.txt

Issue 4430062: Joomla master .htaccess - differences 2.4.8 - 3.3.b Base URL: http://joomla-master-htaccess.googlecode.com/svn/trunk/
Patch Set: Created 3 years ago
1 ############################################################################### 1 ###############################################################################
2 ## The Master .htaccess 2 ## The Master .htaccess
3 ## 3 ##
4 ## Version 2.4 (proposed) - April 16th, 2011 4 ## Version 3.3 - WORK IN PROGRESS
5 ## 5 ##
6 ## ---------- 6 ## ----------
7 ## This file is designed to be the template .htaccess file to put on your new 7 ## This file is designed to be the template .htaccess file to put on your new
8 ## sites, increasing your site's security and performance. It is not meant to 8 ## sites, increasing your site's security and performance. It is not meant to
9 ## be just dropped in your site, though. You should go through all of its 9 ## be just dropped in your site, though. You should go through all of its
10 ## sections and modify it to match your site. Most notably, all instances of 10 ## sections and modify it to match your site. Most notably, all instances of
11 ## example.com and example\.com should be replaced with your real domain name. 11 ## example.com and example\.com should be replaced with your real domain name.
12 ## 12 ##
13 ## Some sections are too picky and may cause problems with legitimate requests. 13 ## Some sections are too picky and may cause problems with legitimate requests.
14 ## You are ultimately responsible for disabling them or writing exception rules 14 ## You are ultimately responsible for disabling them or writing exception rules
(...skipping 23 matching lines...)
38 ## 38 ##
39 ## Learn more: http://www.akeebabackup.com/software/admin-tools.html 39 ## Learn more: http://www.akeebabackup.com/software/admin-tools.html
40 ## ---------------------------------------------------------------------- 40 ## ----------------------------------------------------------------------
41 ## 41 ##
42 ## Have fun, stay safe. 42 ## Have fun, stay safe.
43 ## 43 ##
44 ## Nicholas K. Dionysopoulos 44 ## Nicholas K. Dionysopoulos
45 ## Lead Developer, AkeebaBackup.com 45 ## Lead Developer, AkeebaBackup.com
46 ## 46 ##
47 ## CHANGELOG: 47 ## CHANGELOG:
48 ## Version 2.4 (proposed) (April 16th, 2011) 48 ## Version 3.3 (PENDING RELEASE)
49 ## - Dozens of speed optimisations and many logic and syntax corrections. 49 ## - Version 3.2 wasn't tested and killed some sites
50 ## Version 3.2 (April 8th, 2011)
51 ## - Some slight improvements with negligible (if any) performance impact
52 ## Version 3.1 (April 5th, 2011)
53 ## - Expiration time of static resources adjusted to 1 month instead of 1 year
54 ## - GET variables not passed along in the index.php to site root redirection
55 ## - Fixed typos
56 ## - Alternative for HTTP to HTTPS redirection
57 ## - Common exploits protection: Minor changes in comments, combined base64_enco de/base64_decode rule
58 ## - Bug in query string protection rule
59 ## - Back-end & front-end protection optimization
60 ## - Fixed the UNION SELECT SQLi rule to actually work against real attacks
61 ## - Added comments to Joomla! core SEF section
62 ## Version 3.0 (March 28th, 2011)
63 ## - Massive rewrite
50 ## Version 2.3 (November 18th, 2010) 64 ## Version 2.3 (November 18th, 2010)
51 ## - Added .ico to the pass-through rules, for favicons to load 65 ## - Added .ico to the pass-through rules, for favicons to load
52 ## Version 2.2 (October 25th, 2010) 66 ## Version 2.2 (October 25th, 2010)
53 ## - Bug in the tmpl=component rule 67 ## - Bug in the tmpl=component rule
54 ## Version 2.1 (October 19th, 2010) 68 ## Version 2.1 (October 19th, 2010)
55 ## - index.php to root redirection would kill some AJAX requests 69 ## - index.php to root redirection would kill some AJAX requests
56 ## - Referer filtering was screwed up 70 ## - Referer filtering was screwed up
57 ## - Simplified and more thorough PHP Easter Egg code (thanks Jon!) 71 ## - Simplified and more thorough PHP Easter Egg code (thanks Jon!)
58 ## - The tp/template/tmpl filter was not thorough and killed some components 72 ## - The tp/template/tmpl filter was not thorough and killed some components
59 ## - Optimized Joomla! core SEF section 73 ## - Optimized Joomla! core SEF section
60 ## - Bot filters and GZip optimization would never run for dynamic content 74 ## - Bot filters and GZip optimization would never run for dynamic content
61 ## - Content expiration optimization got more optimized 75 ## - Content expiration optimization got more optimized
62 ## - Added ETag rule 76 ## - Added ETag rule
63 ## 77 ##
64 ############################################################################### 78 ###############################################################################
65 79
66 ########## Begin - RewriteEngine enabled 80 ########## Begin - RewriteEngine enabled
67 RewriteEngine On 81 RewriteEngine On
68 ########## End - RewriteEngine enabled 82 ########## End - RewriteEngine enabled
69 83
70 ########## Begin - RewriteBase 84 ########## Begin - RewriteBase
71 # Uncomment following line if your webserver's URL 85 # Uncomment following line if your webserver's URL
g1smd 2011/04/23 17:00:09 Spaces to remove!
72 # is not directly related to physical file paths. 86 # is not directly related to physical file paths.
g1smd 2011/04/23 17:00:09 Spaces to remove!
73 # Update Your Joomla! Directory (just / for root) 87 # Update Your Joomla! Directory (just / for root)
g1smd 2011/04/23 17:00:09 Spaces to remove!
74 88
75 # RewriteBase / 89 # RewriteBase /
76 ########## End - RewriteBase 90 ########## End - RewriteBase
77 91
78 ########## Begin - No directory listings 92 ########## Begin - No directory listings
79 ## Note: +FollowSymlinks may cause problems and you might have to remove it 93 ## Note: +FollowSymlinks may cause problems and you might have to remove it
80 IndexIgnore * 94 IndexIgnore *
81 Options +FollowSymLinks All -Indexes 95 Options +FollowSymLinks All -Indexes
82 ########## End - No directory listings 96 ########## End - No directory listings
83 97
84 ########## Begin - File execution order, by Komra.de 98 ########## Begin - File execution order, by Komra.de
85 DirectoryIndex index.php index.html 99 DirectoryIndex index.php index.html
86 ########## End - File execution order 100 ########## End - File execution order
87 101
88 ########## Begin - ETag Optimization 102 ########## Begin - ETag Optimization
89 ## This rule will create an ETag for files based only on the modification 103 ## This rule will create an ETag for files based only on the modification
90 ## timestamp and their size. This works wonders if you are using rsync'ed 104 ## timestamp and their size. This works wonders if you are using rsync'ed
91 ## servers, where the inode number of identical files differs. 105 ## servers, where the inode number of identical files differs.
92 ## Note: It may cause problems on your server and you may need to remove it 106 ## Note: It may cause problems on your server and you may need to remove it
93 FileETag MTime Size 107 FileETag MTime Size
94 ########## End - ETag Optimization 108 ########## End - ETag Optimization
95 109
96 ########## Begin - Optimal default expiration time 110 ########## Begin - Optimal default expiration time
97 ## Note: this might cause problems and you might have to comment it out by 111 ## Note: this might cause problems and you might have to comment it out by
98 ## placing a hash in front of this section's lines 112 ## placing a hash in front of this section's lines
113 ## Note: Some people prefer using "now plus 1 month" instead of "now plus 1 year ".
114 ## Suit to taste.
99 <IfModule mod_expires.c> 115 <IfModule mod_expires.c>
100 # Enable expiration control 116 # Enable expiration control
101 ExpiresActive On 117 ExpiresActive On
102 118
103 # Default expiration: 1 hour after request 119 # Default expiration: 1 hour after request
104 ExpiresDefault "now plus 1 hour" 120 ExpiresDefault "now plus 1 hour"
105 121 »
106 # CSS and JS expiration: 1 week after request 122 # CSS and JS expiration: 1 week after request
107 ExpiresByType text/css "now plus 1 week" 123 ExpiresByType text/css "now plus 1 week"
108 ExpiresByType application/javascript "now plus 1 week" 124 ExpiresByType application/javascript "now plus 1 week"
109 ExpiresByType application/x-javascript "now plus 1 week" 125 ExpiresByType application/x-javascript "now plus 1 week"
110 126 »
111 # Image files expiration: 1 month after request 127 # Image files expiration: 1 month after request
112 ExpiresByType image/bmp "now plus 1 month" 128 ExpiresByType image/bmp "now plus 1 month"
113 ExpiresByType image/gif "now plus 1 month" 129 ExpiresByType image/gif "now plus 1 month"
114 ExpiresByType image/jpeg "now plus 1 month" 130 ExpiresByType image/jpeg "now plus 1 month"
115 ExpiresByType image/jp2 "now plus 1 month" 131 ExpiresByType image/jp2 "now plus 1 month"
116 ExpiresByType image/pipeg "now plus 1 month" 132 ExpiresByType image/pipeg "now plus 1 month"
117 ExpiresByType image/png "now plus 1 month" 133 ExpiresByType image/png "now plus 1 month"
118 ExpiresByType image/svg+xml "now plus 1 month" 134 ExpiresByType image/svg+xml "now plus 1 month"
119 ExpiresByType image/tiff "now plus 1 month" 135 ExpiresByType image/tiff "now plus 1 month"
120 ExpiresByType image/vnd.microsoft.icon "now plus 1 month" 136 ExpiresByType image/vnd.microsoft.icon "now plus 1 month"
121 ExpiresByType image/x-icon "now plus 1 month" 137 ExpiresByType image/x-icon "now plus 1 month"
122 ExpiresByType image/ico "now plus 1 month" 138 ExpiresByType image/ico "now plus 1 month"
123 ExpiresByType image/icon "now plus 1 month" 139 ExpiresByType image/icon "now plus 1 month"
124 ExpiresByType text/ico "now plus 1 month" 140 ExpiresByType text/ico "now plus 1 month"
125 ExpiresByType application/ico "now plus 1 month" 141 ExpiresByType application/ico "now plus 1 month"
126 ExpiresByType image/vnd.wap.wbmp "now plus 1 month" 142 ExpiresByType image/vnd.wap.wbmp "now plus 1 month"
127 ExpiresByType application/vnd.wap.wbxml "now plus 1 month" 143 ExpiresByType application/vnd.wap.wbxml "now plus 1 month"
128 ExpiresByType application/smil "now plus 1 month" 144 ExpiresByType application/smil "now plus 1 month"
129 145 »
130 # Audio files expiration: 1 month after request 146 # Audio files expiration: 1 month after request
131 ExpiresByType audio/basic "now plus 1 month" 147 ExpiresByType audio/basic "now plus 1 month"
132 ExpiresByType audio/mid "now plus 1 month" 148 ExpiresByType audio/mid "now plus 1 month"
133 ExpiresByType audio/midi "now plus 1 month" 149 ExpiresByType audio/midi "now plus 1 month"
134 ExpiresByType audio/mpeg "now plus 1 month" 150 ExpiresByType audio/mpeg "now plus 1 month"
135 ExpiresByType audio/x-aiff "now plus 1 month" 151 ExpiresByType audio/x-aiff "now plus 1 month"
136 ExpiresByType audio/x-mpegurl "now plus 1 month" 152 ExpiresByType audio/x-mpegurl "now plus 1 month"
137 ExpiresByType audio/x-pn-realaudio "now plus 1 month" 153 ExpiresByType audio/x-pn-realaudio "now plus 1 month"
138 ExpiresByType audio/x-wav "now plus 1 month" 154 ExpiresByType audio/x-wav "now plus 1 month"
139 155 »
140 # Movie files expiration: 1 month after request 156 # Movie files expiration: 1 month after request
141 ExpiresByType application/x-shockwave-flash "now plus 1 month" 157 ExpiresByType application/x-shockwave-flash "now plus 1 month"
142 ExpiresByType x-world/x-vrml "now plus 1 month" 158 ExpiresByType x-world/x-vrml "now plus 1 month"
143 ExpiresByType video/x-msvideo "now plus 1 month" 159 ExpiresByType video/x-msvideo "now plus 1 month"
144 ExpiresByType video/mpeg "now plus 1 month" 160 ExpiresByType video/mpeg "now plus 1 month"
145 ExpiresByType video/mp4 "now plus 1 month" 161 ExpiresByType video/mp4 "now plus 1 month"
146 ExpiresByType video/quicktime "now plus 1 month" 162 ExpiresByType video/quicktime "now plus 1 month"
147 ExpiresByType video/x-la-asf "now plus 1 month" 163 ExpiresByType video/x-la-asf "now plus 1 month"
148 ExpiresByType video/x-ms-asf "now plus 1 month" 164 ExpiresByType video/x-ms-asf "now plus 1 month"
149 </IfModule> 165 </IfModule>
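Review bot: `Options +FollowSymLinks All -Indexes` in the "No directory listings" section (unchanged on both sides) mixes relative +/- keywords with the absolute keyword All, a combination Apache's Options directive does not accept, and All also switches on every option except MultiViews, including Includes and ExecCGI, which undoes the hardening this section is meant to give. Use `Options +FollowSymLinks -Indexes` (or just `Options -Indexes`, given the note that +FollowSymLinks may have to be removed). Two smaller points in the same hunk: the new comment added to the expiration section refers to "now plus 1 year", but no rule in that section uses it any more (the 3.1 changelog entry says it was replaced by 1 month), and the 3.3 CHANGELOG entry only records that 3.2 killed some sites without listing what 3.3 itself changes.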
(...skipping 29 matching lines...)
179 ########## End - Automatic compression of resources 195 ########## End - Automatic compression of resources
180 196
181 ########## Begin - Google Apps redirection, by Komra.de 197 ########## Begin - Google Apps redirection, by Komra.de
182 ## Uncomment the following line to enable: 198 ## Uncomment the following line to enable:
183 # RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L] 199 # RewriteRule ^mail http://mail.google.com/a/example.com [R=301,L]
184 ## If the above doesn't work on your server, try this: 200 ## If the above doesn't work on your server, try this:
185 ## RewriteRule ^mail http://mail.google.com/a/example.com [R,L] 201 ## RewriteRule ^mail http://mail.google.com/a/example.com [R,L]
186 ########## End - Google Apps redirection 202 ########## End - Google Apps redirection
187 203
188 ########## Begin - Redirect index.php to / 204 ########## Begin - Redirect index.php to /
189 ## Note: Change example.com to reflect your own domain name 205 ## Note: Change example.com to reflect your own domain
190 RewriteCond %{THE_REQUEST} !^POST 206 RewriteCond %{THE_REQUEST} !^POST
191 RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/ 207 RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
192 RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$ 208 RewriteCond %{SERVER_PORT}>s ^(443>(s)|[0-9]+>s)$
193 RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L] 209 RewriteRule ^index\.php$ http%2://www.example.com/$1 [R=301,L]
194 # If the above line throws a 500 error, change [R=301,L] to [R,L] 210 # If the above line throws a 500 error, try this instead:
211 # RewriteRule ^index\.php$ http%2://www.example.com/$1 [R,L]
195 ########## End - Redirect index.php to / 212 ########## End - Redirect index.php to /
196 213
197 ########## Begin - Redirect non-www to www 214 ########## Begin - Redirect non-www to www
198 RewriteCond %{HTTP_HOST} !^www\. [NC] 215 RewriteCond %{HTTP_HOST} !^www\. [NC]
199 RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L] 216 RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
200 ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L] 217 ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L]
201 ########## End - Redirect non-www to www 218 ########## End - Redirect non-www to www
202 219
203 ########## Begin - Redirect www to non-www 220 ########## Begin - Redirect www to non-www
204 ## WARNING: Comment out the non-www to www rule if you choose to use this 221 ## WARNING: Comment out the non-www to www rule if you choose to use this
205 # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC] 222 # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
206 # RewriteRule ^(.*)$ http://%1/$1 [R=301,L] 223 # RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
207 ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L] 224 ## If the above throws an HTTP 500 error, swap [R=301,L] with [R,L]
208 ########## End - Redirect non-www to www 225 ########## End - Redirect non-www to www
209 226
210 ########## Begin - Redirect (www.)olddomain.com to www.example.com 227 ########## Begin - Redirect (www.)olddomain.com to www.example.com
211 ## Note: olddomain.com is your old domain name, you want to redirect FROM, 228 ## Note: olddomain.com is your old domain name, you want to redirect FROM,
212 ## whereas www.example.com is the new domain name you want to redirect TO. 229 ## whereas www.example.com is the new domain name you want to redirect TO.
213 ## Change those names to reflect your current configuration. Remember, this 230 ## Change those names to reflect your current configuration. Remember, this
214 ## small part of the file is supposed to be placed in www.olddomain.com! 231 ## part of the file is supposed to be placed in www.olddomain.com!
215 ## Note: Replace [R=301,L] with [R,L] if you get error 500. 232 ## Note: Replace [R=301,L] with [R,L] if you get error 500.
216 ## Uncomment the following lines to enable: 233 ## Uncomment the following lines to enable:
217 # RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC] 234 # RewriteCond %{HTTP_HOST} ^(www\.)?olddomain\.com [NC]
218 # RewriteRule (.*) http://www.example.com/$1 [R=301,L] 235 # RewriteRule (.*) http://www.example.com/$1 [R=301,L]
219 ## Note: The above section is only required if you are changing your domain name . 236 ########## End - Redirect olddomain.com to www.example.com
g1smd 2011/04/23 17:00:09 Add (www.) to olddomain.com on RHS.
220 ########## End - Redirect (www.)olddomain.com to www.example.com
g1smd 2011/04/23 17:00:09 Add (www.) to olddomain.com on RHS.
221 237
222 ########## Begin - Force HTTPS for certain pages 238 ########## Begin - Force HTTPS for certain pages
223 # Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says. 239 # Force the page foobar.html to run in HTTPS mode, no matter what Joomla! says.
224 # This is a sample redirection for foobar.html. Do note that you have to change 240 # This is a sample redirection for foobar.html. Do note that you have to change
225 # www.example.com to reflect your own domain. Remember to escape the dots using 241 # www.example.com to reflect your own domain. Remember to escape the dots using
226 # \. in the left hand side of each rule. You need BOTH LINES PER URL for the rul e 242 # \. in the left hand side of each rule. You need BOTH LINES PER URL for the rul e
227 # to work. 243 # to work.
228 RewriteCond %{SERVER_PORT} !^443$ 244 RewriteCond %{SERVER_PORT} !^443$
229 ## Alternatively, comment the above line and uncomment the following line: 245 ## Alternatively, comment the above line and uncomment the following line:
230 # RewriteCond %{HTTPS} ^off$ [NC] 246 # RewriteCond %{HTTPS} ^off$ [NC]
231 RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L] 247 RewriteRule ^foobar\.html$ https://www.example.com/foobar.html [R=301,L]
232 ## NOTE: If you get an HTTP 500 error, please swap [R=301,L] with [R,L] 248 ## NOTE: If you get an HTTP 500 error, please swap [R=301,L] with [R,L]
233 # Add more rules below this line as required 249 # Add more rules below this line
234 ########## End - Force HTTPS for certain pages 250 ########## End - Force HTTPS for certain pages
235 251
236 ########## Begin - Rewrite rules to block out some common exploits 252 ########## Begin - Rewrite rules to block out some common exploits
237 ## If you experience problems on your site block out the operations listed below 253 ## If you experience problems on your site block out the operations listed below
238 ## This attempts to block the most common type of exploit `attempts` to Joomla! 254 ## This attempts to block the most common type of exploit `attempts` to Joomla!
239 # 255 #
240 # If the request query string contains /proc/self/environ (by SigSiu.net) 256 # If the request query string contains /proc/self/environ (by SigSiu.net)
241 RewriteCond %{QUERY_STRING} proc/self/environ [OR] 257 RewriteCond %{QUERY_STRING} proc/self/environ [OR]
242 # Block out any script trying to set a mosConfig value through the URL 258 # Legacy variable injection (these attacks wouldn't work w/out Joomla! 1.5's Leg acy Mode plugin)
243 # (these attacks wouldn't work w/out Joomla! 1.5's Legacy Mode plugin)
244 RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR] 259 RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
245 # Block out any script trying to base64_encode or base64_decode data within the URL 260 # Block out any script trying to base64_encode/base64_decode data to send via UR L
246 RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [OR] 261 RewriteCond %{QUERY_STRING} base64_(en|de)code\(.*\) [OR]
247 ## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines: 262 ## IMPORTANT: If the above line throws an HTTP 500 error, replace it with these 2 lines:
248 # RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR] 263 # RewriteCond %{QUERY_STRING} base64_encode\(.*\) [OR]
249 # RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR] 264 # RewriteCond %{QUERY_STRING} base64_decode\(.*\) [OR]
250 # Block out any script that includes a <script> tag in URL 265 # Block out any script that includes a <script> tag in URL
251 RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR] 266 RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
252 # Block out any script trying to set a PHP GLOBALS variable via URL 267 # Block out any script trying to set a PHP GLOBALS variable via URL
253 RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR] 268 RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
254 # Block out any script trying to modify a _REQUEST variable via URL 269 # Block out any script trying to modify a _REQUEST variable via URL
255 RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) 270 RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
256 # Return 403 Forbidden header and show the content of the root homepage 271 # Return a 403 Forbidden header and show the content of the root homepage
257 RewriteRule .* index.php [F] 272 RewriteRule .* index.php [F]
258 # 273 #
259 ########## End - Rewrite rules to block out some common exploits 274 ########## End - Rewrite rules to block out some common exploits
260 275
261 ########## Begin - File injection protection, by SigSiu.net 276 ########## Begin - File injection protection, by SigSiu.net
262 RewriteCond %{REQUEST_METHOD} GET 277 RewriteCond %{REQUEST_METHOD} GET
263 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR] 278 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
264 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR] 279 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
265 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC] 280 RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
266 RewriteRule .* - [F] 281 RewriteRule .* - [F]
267 ########## End - File injection protection 282 ########## End - File injection protection
268 283
269 ########## Begin - Advanced server protection rules exceptions #### 284 ########## Begin - Advanced server protection rules exceptions ####
270 ## 285 ##
271 ## These are sample exceptions to the Advanced Server Protection 3.1 286 ## These are sample exceptions to the Advanced Server Protection 3.0
g1smd 2011/04/23 17:00:09 The code is much altered since August 2010. The 3.
272 ## rule set further down this file. 287 ## rule set further down this file.
273 ## 288 ##
274 ## Allow UddeIM CAPTCHA 289 ## Allow UddeIM CAPTCHA
275 RewriteRule ^components/com_uddeim/captcha15\.php$ - [L] 290 RewriteRule ^components/com_uddeim/captcha15\.php$ - [L]
276 ## Allow Phil Taylor's Turbo Gears 291 ## Allow Phil Taylor's Turbo Gears
277 RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php$ - [L] 292 RewriteRule ^plugins/system/GoogleGears/gears-manifest\.php$ - [L]
278 ## Allow JoomlaWorks AllVideos 293 ## Allow JoomlaWorks AllVideos
279 RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php$ - [L] 294 RewriteRule ^plugins/content/jw_allvideos/includes/jw_allvideos_scripts\.php$ - [L]
280 ## Allow Admin Tools Joomla! updater to run 295 ## Allow Admin Tools Joomla! updater to run
281 RewriteRule ^administrator/components/com_admintools/restore\.php$ - [L] 296 RewriteRule ^administrator/components/com_admintools/restore\.php$ - [L]
282 ## Allow Akeeba Backup Professional's integrated restoration script to run 297 ## Allow Akeeba Backup Professional's integrated restoration script to run
283 RewriteRule ^administrator/components/com_akeeba/restore\.php$ - [L] 298 RewriteRule ^administrator/components/com_akeeba/restore\.php$ - [L]
284 ## Allow Akeeba Kickstart 299 ## Allow Akeeba Kickstart
285 RewriteRule ^kickstart\.php$ - [L] 300 RewriteRule ^kickstart\.php$ - [L]
286 301
287 # Add more rules to single PHP files here 302 # Add more rules to single PHP files here
288 303
289 ## Allow Agora attachments, but not PHP files in that directory! 304 ## Allow Agora attachments, but not PHP files in that directory!
290 RewriteCond %{REQUEST_FILENAME} !(\.php)$ 305 RewriteCond %{REQUEST_FILENAME} !(\.php)$
291 RewriteCond %{REQUEST_FILENAME} -f 306 RewriteCond %{REQUEST_FILENAME} -f
292 RewriteRule ^components/com_agora/img/members/ - [L] 307 RewriteRule ^components/com_agora/img/members/ - [L]
293 308
294 # Add more rules for allowing full access (except PHP files) on more directories here 309 # Add more rules for allowing full access (except PHP files) on more directories here
295 310
296 ## Uncomment to allow full access to the cache directory (strongly not recommend ed!) 311 ## Uncomment to allow full access to the cache directory (strongly not recommend ed!)
297 #RewriteRule ^cache/ - [L] 312 #RewriteRule ^cache/ - [L]
298 ## Uncomment to allow full access to the tmp directory (strongly not recommended !) 313 ## Uncomment to allow full access to the tmp directory (strongly not recommended !)
299 #RewriteRule ^tmp/ - [L] 314 #RewriteRule ^tmp/ $1 [L]
g1smd 2011/04/23 17:00:09 The $1 is a typo. Should be - (hyphen).
300 315
301 # Add more full access rules here 316 # Add more full access rules here
302 317
303 ########## End - Advanced server protection rules exceptions #### 318 ########## End - Advanced server protection rules exceptions ####
304 319
305 ########## Begin - Advanced server protection 320 ########## Begin - Advanced server protection
306 # Advanced server protection, version 3.1 - April 2011 321 # Advanced server protection, version 2.0 - August 2010
g1smd 2011/04/23 17:00:09 The code is much altered since August 2010. The 2.
307 # by Nicholas K. Dionysopoulos 322 # by Nicholas K. Dionysopoulos
308 323
309 ## Referrer filtering for common media files. Replace with your own domain name. 324 ## Referrer filtering for common media files. Replace with your own domain.
310 ## This blocks most common fingerprinting attacks ;) 325 ## This blocks most common fingerprinting attacks ;)
311 ## Note: Change www\.example\.com with your own domain name, substituting the 326 ## Note: Change www\.example\.com with your own domain name, substituting the
312 ## dots with \. i.e. use www\.example\.com for www.example.com 327 ## dots with \., i.e.: www\.example\.com for www.example.com
313 RewriteRule ^images/stories/([^/]+/)*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|s wf|ico)$ - [L] 328 RewriteRule ^images/stories/.*\.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [L]
g1smd 2011/04/23 17:00:09 The .* is inefficient. ([^/]+/)*([^/.]+\.)+ will r
314 RewriteCond %{HTTP_REFERER} . 329 RewriteCond %{HTTP_REFERER} .
315 RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC] 330 RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
316 RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F] 331 RewriteRule \.(jp(e?g|2)?|png|gif|bmp|css|js|swf|ico)$ - [F]
317 332
318 ## Disallow visual fingerprinting of Joomla! sites (module position dump) 333 ## Disallow visual fingerprinting of Joomla! sites (module position dump)
319 ## Initial idea by Brian Teeman and Ken Crowder, see: 334 ## Initial idea by Brian Teeman and Ken Crowder, see:
320 ## http://www.slideshare.net/brianteeman/hidden-joomla-secrets 335 ## http://www.slideshare.net/brianteeman/hidden-joomla-secrets
321 ## Improved by @nikosdion to work more efficiently and handle template 336 ## Improved by @nikosdion to work more efficiently and handle template
322 ## and tmpl query parameters 337 ## and tmpl query parameters
323 RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC] 338 RewriteCond %{QUERY_STRING} (^|&)tmpl=(component|system) [NC]
324 RewriteRule .* - [L] 339 RewriteRule .* - [L]
325 RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC] 340 RewriteCond %{QUERY_STRING} (^|&)t(p|emplate|mpl)= [NC]
326 RewriteRule .* - [F] 341 RewriteRule .* - [F]
327 342
328 ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine 343 ## Disallow PHP Easter Eggs (can be used in fingerprinting attacks to determine
329 ## your PHP version). See http://www.0php.com/php_easter_egg.php and 344 ## your PHP version). See http://www.0php.com/php_easter_egg.php and
330 ## http://osvdb.org/12184 for more information 345 ## http://osvdb.org/12184 for more information
331 RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4} -[0-9a-f]{12} [NC] 346 RewriteCond %{QUERY_STRING} \=PHP[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4} -[a-f0-9]{12} [NC]
g1smd 2011/04/23 17:00:09 This is a hexadecimal match: [0-9a-f] [NC].
332 RewriteRule .* - [F] 347 RewriteRule .* - [F]
333 348
334 ## Back-end protection 349 ## Back-end protection
335 ## This also blocks fingerprinting attacks browsing for XML and INI files 350 ## This also blocks fingerprinting attacks browsing for XML and INI files
336 RewriteRule ^administrator/?$ - [L] 351 RewriteRule ^administrator/?$ - [L]
337 RewriteRule ^administrator/index\.(php|html?)$ - [L] 352 RewriteRule ^administrator/index\.(php|html?)$ - [L]
338 RewriteRule ^administrator/index[23]\.php$ - [L] 353 RewriteRule ^administrator/index[23]\.php$ - [L]
339 RewriteRule ^administrator/(components|modules|templates|images|plugins)/([^/]+/ )*([^/.]+\.)+(jp(e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv ]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] 354 RewriteRule ^administrator/(components|modules|templates|images|plugins)/.*\.(jp (e?g|2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pp tx?|zip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L]
g1smd 2011/04/23 17:00:09 The .* is inefficient. ([^/]+/)*([^/.]+\.)+ will r
340 RewriteRule ^administrator/ - [F] 355 RewriteRule ^administrator/ - [F]
341 356
342 ## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ d irectory 357 ## Explicitly allow access only to XML-RPC's xmlrpc/index.php or plain xmlrpc/ d irectory
343 RewriteRule ^xmlrpc/(index\.php)?$ - [L] 358 RewriteRule ^xmlrpc/(index\.php)?$ - [L]
344 RewriteRule ^xmlrpc/ - [F] 359 RewriteRule ^xmlrpc/ - [F]
345 360
346 ## Disallow front-end access for certain Joomla! system directories 361 ## Disallow front-end access for certain Joomla! system directories
347 RewriteRule ^includes/js/ - [L] 362 RewriteRule ^includes/js/ - [L]
348 RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F] 363 RewriteRule ^(cache|includes|language|libraries|logs|tmp)/ - [F]
349 364
350 ## Allow limited access for certain Joomla! system directories with client-acces sible content 365 ## Allow limited access for certain Joomla! system directories with client-acces sible content
351 RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*([^/.]+\.)+(jp(e?g| 2)?|png|gif|bmp|css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|z ip|rar|pdf|xps|txt|7z|svg|od[tsp]|flv|mov)$ - [L] 366 RewriteRule ^(components|modules|plugins|templates)/.*\.(jp(e?g|2)?|png|gif|bmp| css|js|swf|html?|mp(eg?|[34])|avi|wav|og[gv]|xlsx?|docx?|pptx?|zip|rar|pdf|xps|t xt|7z|svg|od[tsp]|flv|mov)$ - [L]
g1smd 2011/04/23 17:00:09 The .* is inefficient. ([^/]+/)*([^/.]+\.)+ will r
352 ## Uncomment this line if you have extensions which require direct access to the ir own 367 ## Uncomment this line if you have extensions which require direct access to the ir own
353 ## custom index.php files. Note that this is UNSAFE and the developer should be ashamed 368 ## custom index.php files. Note that this is UNSAFE and the developer should be ashamed
354 ## for being so lame, lazy and security unconscious. 369 ## for being so lame, lazy and security unconscious.
355 # RewriteRule ^(components|modules|plugins|templates)/([^/]+/)*(index\.php)?$ - [L] 370 # RewriteRule ^(components|modules|plugins|templates)/.*(index\.php)?$ - [L]
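Review bot: line 370 has a logic problem, not just an efficiency one. In `^(components|modules|plugins|templates)/.*(index\.php)?$` the `(index\.php)?` group is optional and `.*` already consumes the rest of the path, so the rule matches every request beneath those four directories, not only directory paths and their `index.php`. Anyone who uncomments it as the comment on lines 367-369 invites would pass every file, including arbitrary `.php` scripts, through with `[L]`, and the `[F]` on line 374 would never be reached for those directories. Line 355's `([^/]+/)*(index\.php)?$` only matched a chain of directory segments optionally ending in `index.php`; restore that form.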
g1smd 2011/04/23 17:00:09 The .* is inefficient. ([^/]+/)* will recurse zero
356 ## Uncomment the following line if your template requires direct access to PHP f iles 371 ## Uncomment the following line if your template requires direct access to PHP f iles
357 ## inside its directory, e.g. GZip compressed copies of its CSS files 372 ## inside its directory, e.g. GZip compressed copies of its CSS files
358 # RewriteRule ^templates/([^/]+/)*([^/.]+\.)+php$ - [L] 373 # RewriteRule ^templates/.*\.php$ - [L]
g1smd 2011/04/23 17:00:09 The .* is inefficient. ([^/]+/)*([^/.]+\.)+ will r
359 RewriteRule ^(components|modules|plugins|templates)/ - [F] 374 RewriteRule ^(components|modules|plugins|templates)/ - [F]
360 375
361 ## Disallow rogue scripts in your site's root 376 ## Disallow rogue scripts in your site's root
362 # Exception: Allow Joomla!'s index.php and index2.php files 377 # Exception: Allow Joomla!'s index.php and index2.php files
363 RewriteRule ^index2?\.php$ - [L] 378 RewriteRule ^index2?\.php$ - [L]
364 ## If you disable the back-end protection above, please add this line: 379 ## If you disable the back-end protection above, please add this line:
365 # RewriteRule ^administrator/index[23]?\.php$ - [L] 380 # RewriteRule ^administrator/index[23]?\.php$ - [L]
366 RewriteRule ^([^/.]+\.)+php$ - [F] 381 RewriteRule ^.*\.php$ - [F]
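Review bot: line 381, `RewriteRule ^.*\.php$ - [F]`, changes scope rather than just syntax. Line 366's `^([^/.]+\.)+php$` could not match a slash, so it forbade `.php` files directly in the site root, which is what the comment on line 376 ("rogue scripts in your site's root") describes. The new pattern matches `.php` at any depth that has not already been passed through by an earlier `[L]` rule, so the commented exception on line 380 (`administrator/index[23]?\.php$`) becomes necessary whenever the back-end block on line 355 is disabled. Either restore the root-only pattern or update the comment on line 376 to say the rule now covers the whole tree; in either case the leading `^.*` is redundant, `\.php$` alone matches the same set.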
g1smd 2011/04/23 17:00:09 The .* is inefficient. Also the comment says "root
367 382
368 ## Disallow access to htaccess.txt, configuration.php, configuration.php-dist an d php.ini 383 ## Disallow access to htaccess.txt and configuration.php-dist
g1smd 2011/04/23 17:00:09 and php.ini
369 RewriteRule ^(htaccess\.txt|configuration\.php(-dist)?|php\.ini)$ - [F] 384 RewriteRule ^(htaccess\.txt|configuration\.php-dist|php\.ini)$ - [F]
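Review bot: the comment on line 383 no longer mentions `php.ini` although line 384 still lists it, and line 384 drops `configuration.php` from the forbidden set (`configuration\.php(-dist)?` became `configuration\.php-dist`). Direct requests for `configuration.php` are then blocked only because the generic `^.*\.php$ - [F]` on line 381 runs first; if someone later relaxes or comments out that rule, the explicit protection is gone. Either keep `configuration\.php(-dist)?` here so the rule stands on its own, or state the dependency on line 381 in the comment, and add `php.ini` back to the comment text.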
370 385
371 ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @ 386 ## SQLi first line of defense, thanks to Radek Suski (SigSiu.net) @
372 ## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html 387 ## http://www.sigsiu.net/presentations/fortifying_your_joomla_website.html
373 ## May cause problems on legitimate requests 388 ## May cause problems on legitimate requests
374 RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR] 389 RewriteCond %{QUERY_STRING} concat.*\( [NC,OR]
375 RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR] 390 RewriteCond %{QUERY_STRING} union.*select.*\( [NC,OR]
376 RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC] 391 RewriteCond %{QUERY_STRING} union.*all.*select.* [NC]
377 RewriteRule .* - [F] 392 RewriteRule .* - [F]
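Review bot: line 390 narrows the check compared with line 375. `union.*select.*\(` now requires an opening parenthesis somewhere after `select`, while `union([^s]*s)+elect` did not, so a query string containing `union` followed by `select` with no parenthesis is no longer caught by this condition. If that narrowing is intentional, say so in the comment block on lines 386-388; otherwise drop the trailing `\(`. On line 391 the trailing `.*` in `union.*all.*select.*` is a no-op (the pattern is unanchored) and can be removed. As with the rules above, `.*` between the keywords also costs more backtracking than the original bounded forms.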
378 393
379 ########## End - Advanced server protection 394 ########## End - Advanced server protection
380 395
381 ########## Begin - Basic antispam Filter, by SigSiu.net 396 ########## Begin - Basic antispam Filter, by SigSiu.net
382 ## I removed some common words, tweak to your liking 397 ## I removed some common words, tweak to your liking
383 ## This code uses PCRE and works only with Apache 2.x. 398 ## This code uses PCRE and works only with Apache 2.x.
384 ## This code will NOT work with Apache 1.x servers. 399 ## This code will NOT work with Apache 1.x servers.
385 RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erec tile)\b [NC,OR] 400 RewriteCond %{QUERY_STRING} \b(ambien|blue\spill|cialis|cocaine|ejaculation|erec tile)\b [NC,OR]
386 RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitr a|libido)\b [NC,OR] 401 RewriteCond %{QUERY_STRING} \b(erections|hoodia|huronriveracres|impotence|levitr a|libido)\b [NC,OR]
387 RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|t royhamby)\b [NC,OR] 402 RewriteCond %{QUERY_STRING} \b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|t royhamby)\b [NC,OR]
403 ## Note: The final RewriteCond must NOT use the [OR] flag.
388 RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxai eo)\b [NC] 404 RewriteCond %{QUERY_STRING} \b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxai eo)\b [NC]
389 ## Note: The final RewriteCond must NOT use the [OR] flag.
390 RewriteRule .* - [F] 405 RewriteRule .* - [F]
391 ## Note: The previous lines are a "compressed" version 406 ## Note: The previous lines are a "compressed" version
392 ## of the filters. You can add your own filters as: 407 ## of the filters. You can add your own filters as:
393 ## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR] 408 ## RewriteCond %{QUERY_STRING} \bbadword\b [NC,OR]
394 ## where "badword" is the word you want to exclude. 409 ## where "badword" is the word you want to exclude
395 ########## End - Basic antispam Filter, by SigSiu.net 410 ########## End - Basic antispam Filter, by SigSiu.net
396 411
397 ########## Begin - Joomla! core SEF Section 412 ########## Begin - Joomla! core SEF Section
398 # 413 #
399 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}] 414 RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
400 #
401 # If the requested path and file is not /index.php and the request 415 # If the requested path and file is not /index.php and the request
402 # has not already been internally rewritten to the index.php script 416 # has not already been internally rewritten to the index.php script
403 RewriteCond %{REQUEST_URI} !^/index\.php 417 RewriteCond %{REQUEST_URI} !^/index\.php
404 # and the request is for the site root, or for an extensionless URL, 418 # and the request is for the site root, or for an extensionless URL,
405 # or the requested URL ends with one of the listed extensions 419 # or the requested URL ends with one of the listed extensions
406 RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw|ini |zip|json|file))$ [NC] 420 RewriteCond %{REQUEST_URI} /component/|(/[^.]*|\.(php|html?|feed|pdf|raw|ini|zip |json|file|vcf))$ [NC]
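Review bot: moving `vcf` from its position after `pdf` to the end of the alternation on line 420 changes nothing functionally, but it makes this line diverge from the upstream Joomla htaccess.txt that the section is copied from, so every future diff against upstream will flag it as a local change. Keep the upstream ordering (`pdf|vcf|raw|ini|zip|json|file`) unless there is a reason for the move, and mention that reason in the comment on lines 418-419 if there is.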
g1smd 2011/04/23 17:00:09 vcf is after pdf and before raw in the official fi
407 # and the requested path and file doesn't directly match a physical file 421 # and the requested path and file doesn't directly match a physical file
408 RewriteCond %{REQUEST_FILENAME} !-f 422 RewriteCond %{REQUEST_FILENAME} !-f
409 # and the requested path doesn't directly match a physical folder 423 # and the requested path doesn't match a physical folder
410 RewriteCond %{REQUEST_FILENAME} !-d 424 RewriteCond %{REQUEST_FILENAME} !-d
411 # internally rewrite the request to the index.php script 425 # internally rewrite the request to the index.php script
412 RewriteRule .* index.php [L] 426 RewriteRule .* index.php [L]
413 # 427 #
414 ########## End - Joomla! core SEF Section 428 ########## End - Joomla! core SEF Section